Data center cable security

ABSTRACT

A system and method for providing cable security in a network is generally described. The method includes receiving a request to remove a cable, where the request includes a first password and a second password, and wherein the cable connects a first port and a second port. The method further includes determining a first authenticity of the first password. After determining the first authenticity of the first password, the method further includes suspending a data flow through the cable, virtually mapping, by a storage device configuration unit, the first port to a third port, and transmitting the data flow from the third port to the second port. The method further includes determining an authenticity of the second password. After determining the authenticity of the second password, the method includes unlocking a physical lock connected to the cable.

FIELD OF THE DISCLOSURE

The present disclosure relates to network security and, more particularly, to a system and method which are effective to provide security relating to cable maintenance in a data center, including, by way of example, between enterprise storage systems and SAN switches.

BACKGROUND OF THE DISCLOSURE

In a network-based storage system, such as a Storage Area Network (SAN), a source computer transmits data to one or more storage devices. The data travels from the source computer, through a switch, along one or more cables, to the storage device. The switch, cables, and storage devices are often located within a designated room or data center. Maintenance of devices and their interconnections can result in inadvertent or malicious disruption of healthy connections while a technician is ostensibly present for one purpose but causes a disconnection or other disruption beyond the purpose of his visit.

It is with respect to these and other considerations that the disclosure made herein is presented.

SUMMARY OF THE DISCLOSURE

According to a basic aspect of the disclosure, a method for providing cable security in a network is described. The method comprises receiving a request to remove a cable, where the request includes a first password and a second password, and wherein the cable connects a first port and a second port. The method further comprises determining a first authenticity of the first password. The method further comprises, after determining the first authenticity of the first password: suspending a data flow through the cable, virtually mapping, by a storage device configuration unit, the first port to a third port, and transmitting the data flow from the third port to the second port. The method further comprises determining an authenticity of the second password. The method further comprises, after determining the authenticity of the second password: unlocking a physical lock connected to the cable.

In more particular implementations in accordance with the foregoing method, one or more of the following can be performed, including: (a) maintaining another lock, which is connected to another cable, in a locked position; (b) suspending data flow through the cable by suspending the data flow through the first port; (c) prior to receiving the request for authenticating the first password, establishing a fourth port to transmit data redundantly; (d) prior to receiving the request authenticating the first password, transmitting the data flow from the first port to the second port; (e) performing the virtually mapping step by assigning a virtual address to the first port and to the third port; (f) defining the first and second passwords as one, complex password associated with the cable; (g) defining further passwords using a hardware generator (e.g., third, fourth and fifth passwords) and blocking further ports (e.g., third and fourth ports) if the passwords are not authenticated in the manner described herein for the first and second passwords; (h) combinations of the foregoing additional facets and steps.

In regard to implementations in which a complex password is defined, methods in accordance with broad aspects of this disclosure can include (i) prior to receiving the request, establishing a complex password during an initial set up of the network; (ii) generating the complex password by a key generator. Again, these can be in combination with the basic aspect of this disclosure described above or any of the more particular implementations noted above.

In accordance with another aspect of the disclosure, a method for providing cable security in a network is described. The method comprises receiving a request to remove a cable in a data center, wherein the request includes a password, and wherein the cable connects a first port and a second port. The method further comprises determining an authenticity of the password. When the password is determined to be authentic, the method suspends a data flow through the cable, maps, by a storage device configuration unit, the first port to a third port, and transmits the data flow from the third port to the second port. In a more particular implementation, prior to receiving the request, the method can include the step of transmitting the data flow from the first port to the second port.

In accordance with another aspect of the disclosure, a network cable security system is described. The network cable security system includes a memory configured to store a list of passwords and a storage device configuration unit configured to be in communication with the memory. The storage device configuration unit is configured, such as by a processor executing code therein, to be effective to receive a request to remove a first cable, wherein the request includes a first password and a second password, and wherein the first cable connects a first port and a second port. The storage device configuration unit is further configured, such as by a processor executing code, to be effective to analyze the list of passwords in the memory to determine a first authenticity of the first password. After determination of the first authenticity of the first password, the storage device configuration unit, through its configuration by code, is effective to suspend a data flow through the cable, virtually map the first port to a third port, and transmit the data flow from the third port to the second port. The storage device configuration unit is further configured by code to be effective to analyze the list of passwords to determine an authenticity of the second password, and, after determination of the authenticity of the second password, the storage device configuration unit unlocks a physical lock connected to the cable by executing code which configures the configuration unit for that purpose.

In more particular implementations, systems in accordance with this disclosure can be configured to programmatically implement steps as described above, using code from a memory which is executed in at least one processor of a storage device configuration unit of the type described above and herein.

These and other aspects, features, and advantages can be appreciated from the accompanying description of certain embodiments according to the present disclosure and the accompanying drawing figures and claims.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

FIG. 1 is a system diagram of a system effective to facilitate network cable security in accordance with one or more disclosed embodiments;

FIG. 2 is a system diagram of a system effective to facilitate network cable security in accordance with one or more disclosed embodiments;

FIG. 3 is a system diagram of a system effective to facilitate network cable security in accordance with one or more disclosed embodiments; and

FIG. 4 is a process flow diagram of an exemplary routine for facilitating cable security in a network in accordance with one or more disclosed embodiments.

DESCRIPTION OF CERTAIN EMBODIMENTS OF THE DISCLOSURE

FIG. 1 illustrates a network cable security system 100 in accordance with one or more embodiments according to the disclosure. Network cable security system 100 includes a storage administrator 118 effective to communicate with a source computer 114. Storage administrator 118 is responsible for managing and configuring storage disks to customers remotely. A storage device configuration unit 110 is in communication with source computer 114. In some implementations, the administrator 118 is a person, but the actions described herein by the administrator can be made by a machine executing code that responds to requests in a programmatic way, in accordance with a prescribed configuration response or by operation of an inference engine executing therein.

Network cable security system 100 further includes a data center 130 schematically shown separate from storage administrator 118 with use of door 120, as the data center can be remote from the administrator 118. Data center 130 includes a switch 152 in communication with a storage unit 132. Switch 152 includes ports 134, 136 and 138. Storage unit 132 includes ports 140, 142, and 144. Switch 152 communicates with storage unit 132 through one or more cables 146, 148, 150. Cables 146, 148, 150 are, for example, electrical or optical cables. Cables 146, 148 and 150, connect ports 134 with 140, 136 with 142, and 138 with 144, respectively. In some examples, cables 146, 148, 150 are fiber cables used between a storage attached network (SAN) switch and a storage system, cache cables used to flush data from storage memory to storage disks, or disk shelf cables. Moreover, while the present discussion is made in relation to switches and storage units, it will be apparent that other hardware devices are typically included in the data center 130 and are connected to further hardware devices with cables, and the description herein should be understood as being an example of interconnected hardware components within a data center to be serviced by a technician and not being a limitation on the more general kinds of hardware devices to which the present disclosure is more generally directed.

A physical lock 128 is connected to one or more cables, and locks one of the cables to a port. In the example shown, lock 128 locks cable 146 to port 134 of switch 152 and to port 140 of storage unit 132. A hardware engineer 106 works in data center 130 and has available to him or her a terminal 102 for communicating beyond the data center, such as to the administrator 118. Hardware engineer 106 is responsible for performing hardware related activities such as replacing storage disks, cables, motherboards, batteries, etc. Hardware engineers have access to data centers which have different types of hardware that can belong to multiple entities and be under the management of many different hardware engineers. In some examples, hardware engineer 106 and system administrator 118 are associated with different entities.

Storage device configuration unit 110 includes at least one processor and a memory which stores code. The code is used by the processor to configure the storage device configuration unit to perform multiple functions. First, the storage device configuration unit 110, in response to the code executing therein, communicates with terminal 102 through a communication link 108. Storage device configuration unit 110 communicates with lock 128 through a communication link 122. Storage device configuration unit 110 communicates with switch 152 through a communication link 124. In operation, storage administrator 118 controls source computer 114 to transmit data over communication link 126 to switch 152. Switch 152, in turn, transmits the data over the one or more cables 146, 148, 150 to storage unit 132. The transmitting of data is illustrated in FIG. 1 with the shading of cable 146 and illustrates data moving in any direction.

FIG. 2 illustrates a network cable security system 100 in accordance with one or more embodiments of the disclosure. In examples where hardware engineer 106 wants to remove cable 146, hardware engineer communicates that request to remove cable 146 to storage administrator 118. Storage administrator 118, in turn, transmits a request including a password 206 to storage device configuration unit 110, either due to human operator action or programmatically by code executing at a computing device comprising the administrator 118. Hardware engineer 106 further transmits a request including a password 204 to terminal 102. Terminal 102 then transmits password 204 to storage device configuration unit 110. Storage device configuration unit 110, executing code that so configures it for processing the so-transmitted (and now received) password, analyzes a list of passwords 210 in a memory 212. Storage device configuration unit 110, through the execution of further code, then authenticates either, or both, passwords 204 and 206. In examples where storage device configuration unit has not authenticated both passwords 204, 206 yet hardware engineer 106 attempts to remove cable 146, storage device configuration unit 110 is configured, by code, to generate an alarm 202. In these examples, lock 128 is maintained in the locked position and source computer 114 continues to transmit data through port 134 and cable 146. In some examples, storage device configuration unit 110 is configured by code to generate alarm 202 after storage device configuration unit 110 has failed two or more authentication attempts of passwords 204, 206. Alarm 202 is sent to a monitoring team to investigate data center 130.

In examples where storage device configuration unit 110 authenticates password 206 from storage administrator 118, storage device configuration unit 110 suspends data flow through port 134 and thereby cable 146 as the action it is configured to take by code executing therein. Through further code being executed, storage device configuration unit 110 virtually maps port 134 to port 136, in memory 212, and starts read and write operations through port 136 and cable 148. In some examples, both port 134 with cable 146, and port 136 with cable 148, are initially established to transmit data redundantly. In other examples, port 138 and cable 150 serve and remain as a redundant path for port 134 and cable 146, while data transmits through port 136 and cable 148. The unit 110 can have modes configured and settable to implement a solution in accordance with these differing examples. In either case, by storage device configuration unit 110 virtually remapping port 134 to port 136, a redundant path is maintained.

As discussed above, storage device configuration unit 110 virtually maps data flow from port 134 of switch 152, to port 136 of switch 152. The virtual mapping is illustrated by map 208. In this way, data continues to flow from source computer 114, through switch 152 to storage unit 132, even if cable 146 has been removed. Data throughput can be maintained and data corruption can be avoided in accordance with this scheme. In an example, storage device configuration unit 110 maps port 136 to have the same address or Worldwide Name (WWN) as port 134. Connected systems, such as source computer 114, are indifferent to the change to the path due to the removal of cable 146 and will continue transmitting data to the new virtual port 136.

If the code executing in the storage device configuration unit 110 does not authenticate password 204 entered by hardware engineer 106, data will continue to flow from source computer 114, through switch 152, port 136, and cable 148 to storage unit 132. In this example, where password 206 has been authenticated, but password 204 from hardware engineer 106 has not been authenticated, lock 128 is maintained in a locked position.

In examples where storage device configuration unit 110 authenticates both password 206 and password 204, storage device configuration unit is configured by code to transmit an unlock signal over communication link 122 to unlock physical lock 128, as shown as unlocked physical lock 214. Any locks connected to cables 148 and 150 are maintained in a locked position.

In some examples, password 204 and password 206 form, in combination, a single complex password. In some examples, passwords 204 and 206 are associated with cable 146 during initial set up or configuration of data center 130. In one example, a key generator 216 is used to generate passwords 204 and 206. Storage device configuration unit 110 is configured to generate alarm 202 to notify a management team that data flow through port 134 has been suspended. In some examples, hardware engineer 106 can have an appropriate password for port 136 but not for port 134. In these examples, an attempt to remove cable 146, connected to port 134, will not result in authentication of password 204.

FIG. 3 illustrates a network cable security system 100 in accordance with one or more embodiments of the disclosure. In examples where hardware engineer 106 wants to add a new cable to data center 130, hardware engineer 106 transmits a password 302 through terminal 102 to storage device configuration unit 110, which can be the same as the unit previously described. In some embodiments, all ports are physically locked by default. Storage administrator 118 also transmits a password 304 to storage device configuration unit 110. Storage device configuration unit 110 then analyzes list of passwords 210 and authenticates either or both of passwords 302, 304. In examples where either password 302, 304 is not authenticated, storage device authentication unit blocks port 134 from transmitting data and generates alarm 202. In this way, if hardware engineer 106 is a malicious actor wishing to transmit data to or receive data from data center 130, blocking of port 134 prevents the malicious actor from transmitting or receiving data.

Among other potential benefits, a system in accordance with the disclosure yields increased security for cables in a data center. When cables are removed, because of the described mapping, the system maintains consistent data throughput without causing data leakage, corruption, loss, slowness, or system degradation. Further, even if both a cable and its redundant cable are removed, because of the described mapping, a virtual path is available to maintain data flow. A virtual path is created to reroute data that was being transmitted through a physical path.

A conventional system, without the benefit of this disclosure, can result in corrupt data storage, because of attempts to store data while a particular cable is removed. For example, if a cache cable is removed without preparation, data might not be flushed from memory to hard disks, resulting in data being lost. Moreover, a conventional system can result in system degradation or slowness, due to queued operations produced from a decreased number of paths. Virtually remapping allows for reuse of healthy ports because data that was using a disconnected port through a removed cable will use another healthy port and another cable.

The system can be used during hardware maintenance or a physical upgrade of a storage system where replacing or adding of new cables occur. In some examples, where two paths are used to redundantly transmit data, and one cable breaks, the system will help avoid the possibility of a hardware engineer removing the healthy cable. Further, a hardware engineer in a shared data center will be prevented from removing a critical cable in a system they do not support.

The system can avoid the problem of an unauthorized hardware engineer being able to remove any cable from a storage system, even in the situation in which the data center 130 is shared by multiple entities with the hardware engineer having access to more physical hardware components than are within the ambit of his task or responsibilities. Further, even if the hardware engineer previously had an appropriate password, requiring authentication of both the password from the hardware engineer and the system administrator avoids the possibility of a hardware engineer removing a cable after his authority to remove the cable has terminated. A hardware engineer is prevented from selecting and removing an incorrect component. Human mistakes in removing cables can also be avoided and employee hours to identify data transmission problems can be reduced. Coordination among a system administrator and hardware engineer is facilitated and storage support teams are aware of what the hardware engineer will do even before he chooses to remove a cable. The storage support team is outside the data center, an operation management team is responsible for hardware and a security team is responsible to catch unauthorized persons. In some examples, all of these teams are notified by the alarm. Use of a complex password, with parts being used from both the storage administrator, and the hardware engineer, ensures that there is coordination among these entities. Authentication of both passwords is needed to redirect data and for the cable to be physically unlocked.

From the foregoing, it should be understood that the described method for providing cable security in a network can be part of a SAN Infrastructure between SAN switches and Enterprise Storage Systems. A request to remove a cable received at a system configured as described herein includes a first password and a second password. The cable connects a first port (e.g., of device A) and a second port (e.g., of device B). The ports can be of any of the devices mentioned above or other hardware components that might be located within the data center 130. After determining a first authenticity of the first password, data flow is suspended from flowing through the cable whose removal request has just been authenticated, causing the data to virtually map to a healthy port which utilizes the same identifications just made by storage device configuration unit 110. In particular, the first port is mapped to a third port which can be any available healthy port with low load and data flow is transmitted from this third port (that is, from device A) to the second port (of device B). As described above, an authenticity of a second password has to be determined by the storage device configuration unit 110. Upon making this determination, a physical lock connected to the cable is automatically unlocked by the system without human user intervention, that is to say, at the command of the program running in the configuring unit 110.

As described above, each hardware component is physically locked, with the first password and second password both required to be authenticated in order to release it, including when there are multiple components in a single device, such as a rack, blade, etc.

FIG. 4 is a process flow diagram illustrating an exemplary routine 400 for facilitating cable security in a network as was shown and described in FIGS. 1-3. At 402, routine 400 performs an initial set up of a data center to associate a first and second password with a cable. This can be part of the storage device configuration unit 110, namely, part of the code provided to its processor for execution therein. At 404, routine 400 receives a request to remove the first cable, such as a message from the terminal 102 to the storage device configuration unit 110. The request includes the first and second password and, for instance, can come from the terminal 102 located within the data center 130. The cable connects a first port with a second port. At 406, routine 400 executing in the storage device configuration unit 110 determines an authenticity of the first password. After determination of the first authenticity of the first password as shown in subroutine 408, the routine 400 includes program code operative to suspend a data flow through the cable at 410, virtually map the first port to the third port at 412, and transmit the data flow from the third port to the second port at 414. After 406, the code which implements routine 400 branches to 416, where the code configures the routine 400 to determine a second authenticity of the second password. After determination of the second authenticity of the second password as shown in subroutine 418, the routine 400 of the storage device configuration unit 110 unlocks a physical lock connected to the cable at 420. The process ends there, but as will be understood, further password keys can be provided, one after another, to authorize further cable and device removals, consistent with the disclosure above. Importantly, the authentication of one password pair is suitable for unlocking a given cable or device and is not operative to unlock any other device just because the hardware engineer provided an authenticated password for one connection.
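Routine 400 can be read as a per-cable state machine. The following is an added example, not code from the disclosure: the class and method names are hypothetical, and storing salted PBKDF2 hashes compared in constant time (rather than a plain list of passwords) and refusing to suspend flow when no healthy port exists are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    LOCKED = "locked"      # data flows through the cable, lock engaged
    REROUTED = "rerouted"  # flow moved to a healthy port, lock still engaged
    UNLOCKED = "unlocked"  # both passwords verified, lock released


def derive(password: str, salt: bytes) -> bytes:
    # Assumption: the unit keeps only salted hashes, never the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class CableRecord:
    port: str
    peer_port: str
    salt: bytes
    admin_hash: bytes
    engineer_hash: bytes
    state: State = State.LOCKED
    failures: int = 0


class ConfigUnit:
    ALARM_THRESHOLD = 2  # the text raises the alarm after two or more failures

    def __init__(self, healthy_ports):
        self.cables = {}
        self.healthy_ports = list(healthy_ports)
        self.port_map = {}  # virtual map: original port -> port carrying its flow
        self.events = []    # alarm / notification stream for the monitoring team

    def enroll(self, cable_id, port, peer_port):
        """Step 402: a key generator creates the pair tied to this one cable."""
        admin_pw = secrets.token_urlsafe(16)
        engineer_pw = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self.cables[cable_id] = CableRecord(
            port, peer_port, salt,
            derive(admin_pw, salt), derive(engineer_pw, salt))
        return admin_pw, engineer_pw

    def _verify(self, cable_id, rec, supplied, expected):
        ok = hmac.compare_digest(derive(supplied, rec.salt), expected)
        if not ok:
            rec.failures += 1
            if rec.failures >= self.ALARM_THRESHOLD:
                self.events.append(("auth_failures", cable_id))
        return ok

    def request_removal(self, cable_id, admin_pw, engineer_pw):
        """Steps 404-420 for one cable; returns the resulting state."""
        rec = self.cables[cable_id]
        if rec.state is State.LOCKED:
            # 406: the administrator's password gates the reroute only.
            if not self._verify(cable_id, rec, admin_pw, rec.admin_hash):
                return rec.state
            if not self.healthy_ports:
                # Assumption: without a healthy port the flow is left alone.
                self.events.append(("no_healthy_port", cable_id))
                return rec.state
            # 410-414: suspend flow on the port and map it to a healthy port.
            self.port_map[rec.port] = self.healthy_ports.pop(0)
            rec.state = State.REROUTED
            self.events.append(("flow_suspended", cable_id))
        if rec.state is State.REROUTED:
            # 416-420: only the engineer's password releases the physical lock.
            if self._verify(cable_id, rec, engineer_pw, rec.engineer_hash):
                rec.state = State.UNLOCKED
        return rec.state


if __name__ == "__main__":
    unit = ConfigUnit(healthy_ports=["136"])
    admin, eng = unit.enroll("146", "134", "140")
    _, eng_148 = unit.enroll("148", "136", "142")
    print(unit.request_removal("146", "guess", eng))     # stays locked
    print(unit.request_removal("146", admin, eng_148))   # rerouted, lock held
    print(unit.request_removal("146", admin, eng))       # unlocked
    print(unit.cables["148"].state, unit.port_map, unit.events)
```

Because each record carries its own hashes, an engineer password that is valid for cable 148 fails against cable 146 and counts toward the alarm threshold.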

The terms “a,” “an,” and “the,” as used in this disclosure, mean “one or more,” unless expressly specified otherwise.

The term “backbone,” as used in this disclosure, means a transmission medium or infrastructure that interconnects one or more computing devices or communication devices to provide a path that conveys data packets and instruction signals between the one or more computing devices or communication devices. The backbone can include a network. The backbone can include an Ethernet TCP/IP. The backbone can include a distributed backbone, a collapsed backbone, a parallel backbone or a serial backbone.

The term “bus,” as used in this disclosure, means any of several types of bus structures that can further interconnect to a memory bus (with or without a memory controller), a peripheral bus, or a local bus using any of a variety of commercially available bus architectures. The term “bus” can include a backbone.

The term “communicating device,” as used in this disclosure, means any computing device, hardware, or computing resource that can transmit or receive data packets, instruction signals or data signals over a communication link. The communicating device can be portable or stationary.

The term “communication link,” as used in this disclosure, means a wired or wireless medium that conveys data or information between at least two points. The wired or wireless medium can include, for example, a metallic conductor link, a radio frequency (RF) communication link, an Infrared (IR) communication link, or an optical communication link. The RF communication link can include, for example, WiFi, WiMAX, IEEE 802.11, DECT, 0G, 1G, 2G, 3G, 4G or 5G cellular standards, or Bluetooth. A communication link can include, for example, an RS-232, RS-422, RS-485, or any other suitable interface.

The terms “computer,” “computing device,” or “processor,” as used in this disclosure, mean any machine, device, circuit, component, or module, or any system of machines, devices, circuits, components, or modules that are capable of manipulating data according to one or more instructions. The terms “computer,” “computing device” or “processor” can include, for example, without limitation, a processor, a microprocessor (μP), a central processing unit (CPU), a graphic processing unit (GPU), an application specific integrated circuit (ASIC), a compute core, a compute machine, a general purpose computer, a super computer, a personal computer, a laptop computer, a palmtop computer, a notebook computer, a desktop computer, a workstation computer, a server, a server farm, a computer cloud, or an array or system of processors, μPs, CPUs, GPUs, ASICs, general purpose computers, super computers, personal computers, laptop computers, palmtop computers, notebook computers, desktop computers, workstation computers, or servers.

The term “computer-readable medium” or “computer-readable storage medium,” as used in this disclosure, means any non-transitory storage medium that participates in providing data (for example, instructions) that can be read by a computer. Such a medium can take many forms, including non-volatile media and volatile media. Non-volatile media can include, for example, optical or magnetic disks and other persistent memory. Volatile media can include dynamic random-access memory (DRAM). Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, DVD, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EEPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read. The computer-readable medium can include a “cloud,” which can include a distribution of files across multiple (e.g., thousands of) memory caches on multiple (e.g., thousands of) computers.

Various forms of computer readable media can be involved in carrying sequences of instructions to a computer. For example, sequences of instruction (i) can be delivered from a RAM to a processor, (ii) can be carried over a wireless transmission medium, or (iii) can be formatted according to numerous formats, standards or protocols, including, for example, WiFi, WiMAX, IEEE 802.11, DECT, 0G, 1G, 2G, 3G, 4G, or 5G cellular standards, or Bluetooth.

The term “computing resource,” as used in this disclosure, means software, a software application, a web application, a web page, a computer application, a computer program, computer code, machine executable instructions, firmware, or a process that can be arranged to execute on a computing device or a communicating device.

The term “computing resource process,” as used in this disclosure, means a computing resource that is in execution or in a state of being executed on an operating system of a computing device. Every computing resource that is created, opened or executed on or by the operating system can create a corresponding “computing resource process.” A “computing resource process” can include one or more threads, as will be understood by those skilled in the art.

The term “database,” as used in this disclosure, means any combination of software or hardware, including at least one computing resource or at least one computer. The database can include a structured collection of records or data organized according to a database model, such as, for example, but not limited to at least one of a relational model, a hierarchical model, or a network model. The database can include a database management system application (DBMS). The at least one application includes, but is not limited to, a computing resource such as, for example, an application program that can accept connections to service requests from communicating devices by transmitting back responses to the devices. The database can be configured to run the at least one computing resource, often under heavy workloads, unattended, for extended periods of time with minimal or no human direction.

The terms “including,” “comprising” and variations thereof, as used in this disclosure, mean “including, but not limited to,” unless expressly specified otherwise.

The term “server,” as used in this disclosure, means any combination of software or hardware, including at least one computing resource or at least one computer to perform services for connected communicating devices as part of a client-server architecture. The at least one server application can include, but is not limited to, a computing resource such as, for example, an application program that can accept connections to service requests from communicating devices by transmitting back responses to the devices. The server can be configured to run the at least one computing resource, often under heavy workloads, unattended, for extended periods of time with minimal or no human direction. The server can include a plurality of computers configured, with the at least one computing resource being divided among the computers depending upon the workload. For example, under light loading, the at least one computing resource can run on a single computer. However, under heavy loading, multiple computers can be required to run the at least one computing resource. The server, or any of its computers, can also be used as a workstation.

Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries.

Although process steps, method steps, algorithms, or the like, may be described in a sequential or a parallel order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described in a sequential order does not necessarily indicate a requirement that the steps be performed in that order; some steps may be performed simultaneously. Similarly, if a sequence or order of steps is described in a parallel (or simultaneous) order, such steps can be performed in a sequential order. The steps of the processes, methods or algorithms described herein may be performed in any order practical.

When a single device or article is described herein, it will be readily apparent that more than one device or article may be used in place of a single device or article. Similarly, where more than one device or article is described herein, it will be readily apparent that a single device or article may be used in place of the more than one device or article. The functionality or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality or features.

The subject matter described above is provided by way of illustration only and should not be construed as limiting. Various modifications and changes can be made to the subject matter described herein without following the example embodiments and applications illustrated and described, and without departing from the true spirit and scope of the invention encompassed by the present disclosure, which is defined by the set of recitations in the following claims and by structures and functions or steps which are equivalent to these recitations.

What is claimed is:
 1. A method for providing cable security in a network of computing devices connected by one or more physical cables, the method comprising: receiving a request to remove a cable among the one or more physical cables, where the request includes a first password and a second password, and wherein the cable connects a first port and a second port, wherein the first and second password form one complex password associated with the cable; prior to receiving the request, establishing the complex password during an initial set up of the network, wherein the complex password is generated by a key generator; determining, in response to the request, a first authenticity of the first password; after determining the first authenticity of the first password suspending a data flow through the cable; virtually mapping, by a storage device configuration unit, the first port to a third port; and transmitting the data flow from the third port to the second port; determining an authenticity of the second password; and after determining the authenticity of the second password, unlocking a physical lock connected to the cable thereby allowing the cable to be disconnected from one or more of the first port and the second port.
 2. The method of claim 1, further comprising maintaining another lock, connected to another cable, in a locked position.
 3. The method of claim 1, wherein suspending the data flow through the cable includes suspending the data flow through the first port.
 4. The method of claim 1, further comprising, prior to receiving the request, establishing a fourth port to transmit data redundantly for the first port.
 5. The method of claim 1, further comprising, prior to receiving the request, transmitting the data flow from the first port to the second port.
 6. The method of claim 1, wherein virtually mapping includes assigning a virtual address to the first port and to the third port.
 7. The method of claim 1, wherein the first is a first request, and the method further comprises receiving a second request to add a second cable to a fourth port in the network, wherein the second request includes a third password.
 8. The method of claim 7, wherein the third password is received from a hardware engineer, and wherein the method further comprises: determining that the third password is not authentic; and blocking the fourth port.
 9. The method of claim 7, wherein the third password includes a fourth password received from a hardware engineer and includes fifth password received from a system administrator, wherein the method further comprises: determining that either the fourth or the fifth password is not authentic; and blocking the fourth port.
 10. A network cable security system for providing cable security in a network of computing devices connected by one or more physical cables in a data center, the system comprising: a memory configured to store a list of passwords; a storage device configuration unit configured to be in communication with the memory, the storage device configuration unit effective to: receive a request to remove a first cable among the one or more cables, wherein the request includes a first password and a second password, and wherein the first cable connects a first port and a second port, wherein the first and second password form one complex password associated with the cable and wherein, prior to receipt of the request, the storage device configuration unit is effective to establish the complex password during an initial set up of the network, wherein the complex password is generated by key generator; analyze the list of passwords in the memory to determine a first authenticity of the first password; after determination of the first authenticity of the first password: suspend a data flow through the cable; virtually map the first port to a third port; and transmit the data flow from the third port to the second port; analyze the list of passwords to determine an authenticity of the second password; and after determination of the authenticity of the second password, the storage device configuration unit effective to unlock a physical lock connected to the cable, thereby allowing the cable to be disconnected from one or more of the first port and the second port.
 11. The network cable security system of claim 10, wherein suspension of the data flow through the cable includes suspension of the data flow through the first port.
 12. The network cable security system of claim 10, wherein, prior to receipt of the request, the storage device configuration unit establishes a fourth port to transmit data redundantly for the first port.
 13. The network cable security system of claim 10, wherein, prior to receipt the request, a source computer transmits the data flow from the first port to the second port.
 14. The network cable security system of claim 10, wherein the virtual map includes assignation of a virtual address to the first port and to the third port.
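
The two-stage removal sequence recited in claims 1 and 10, sketched as an added Python example (not code from the disclosure). The class, method and port names, the even split of the generated password, and PBKDF2 digests for the stored password list are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(password, salt):
    # Assumption: the stored "list of passwords" holds salted digests only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CableGuard:
    """Hypothetical model of the configuration unit's state for one cable."""

    def __init__(self, first_port, second_port, third_port):
        self.second_port, self.third_port = second_port, third_port
        self.active_source = first_port  # port currently feeding second_port
        self.flow_suspended = False
        self.lock_open = False
        self._salt = secrets.token_bytes(16)
        self._stored = ()

    def enroll(self):
        # Initial set-up: the key generator yields one complex password,
        # split here (an assumption) into the two parts a request must carry.
        complex_pw = secrets.token_urlsafe(24)  # 32 characters
        first, second = complex_pw[:16], complex_pw[16:]
        self._stored = (_digest(first, self._salt), _digest(second, self._salt))
        return first, second

    def _authentic(self, index, candidate):
        # Constant-time comparison against the stored digest.
        return hmac.compare_digest(self._stored[index], _digest(candidate, self._salt))

    def request_removal(self, first_pw, second_pw):
        """Return the ordered actions performed for this request."""
        actions = []
        if not self._authentic(0, first_pw):
            return actions  # traffic and lock are left untouched
        self.flow_suspended = True
        actions.append("suspend")
        self.active_source = self.third_port  # virtual map: first -> third port
        actions.append("remap")
        self.flow_suspended = False  # flow now runs third port -> second port
        actions.append("resume")
        if self._authentic(1, second_pw):
            self.lock_open = True  # only now may the cable be pulled
            actions.append("unlock")
        return actions
```

A wrong second password leaves traffic rerouted but the lock shut, so the physical disconnect can never precede the remap.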